[Bro] Newbie question Extract Binaries from traffic

Scott P 55sjp55 at gmail.com
Tue Aug 2 02:34:40 PDT 2016


Thank you both. Exactly what I was looking for.

On Jul 27, 2016 08:22, "Hosom, Stephen M" <hosom at battelle.org> wrote:

> Scott,
>
> I have an example of how file extraction is usually done on modern Bro
> versions here:
>
> https://github.com/hosom/bro-file-extraction
>
> I'm assuming based on what it looks like you were trying to do that you
> want to extract PE files that appear in HTTP and FTP?
>
> You might try loading the extract-pe.bro script from the plugins directory
> in that repo. It won't limit the extraction to just HTTP and FTP though.
> You'd have to modify the script to get it to do that.
>
> -Stephen
>
> ________________________________________
> From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of Johanna
> Amann [johanna at icir.org]
> Sent: Tuesday, July 26, 2016 9:13 PM
> To: Scott P
> Cc: bro at bro.org
> Subject: Re: [Bro] Newbie question Extract Binaries from traffic
>
> Hi Scott,
>
> I think the syntax you are using there was retired with Bro 2.2 (or
> potentially earlier). Newer versions of Bro use the file analysis
> framework; documentation for it is available at
> https://www.bro.org/sphinx-git/frameworks/file-analysis.html
>
> To see an example of someone using the framework, see e.g. the email
> thread at
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-July/008715.html
>
> I hope this helps,
>  Johanna
>
> On Tue, Jul 26, 2016 at 10:08:57AM -0400, Scott P wrote:
> > Newbie question added the following to my local.bro file
> >
> > #Extract EXEs
> > redef HTTP::extract_file_types += /application\/x-dosexec/;
> > redef FTP::extract_file_types += /application\/x-dosexec/;
> >
> > #Extract files to /nsm/bro/extracted
> > redef HTTP::extraction_prefix = "/nsm/bro/extracted/http/http-item";
> > redef FTP::extraction_prefix = "/nsm/bro/extracted/ftp/ftp-file";
> >
> > But when I test against the file I am getting:
> >
> > sudo bro -r http-putty.pcap  /opt/bro/share/bro/site/local.bro
> >
> >
> > error in /opt/bro/share/bro/site/local.bro, line 105: "redef" used but not previously defined (HTTP::extract_file_types)
> > internal warning in /opt/bro/share/bro/site/local.bro, line 105: Can't document redef of HTTP::extract_file_types, identifier lookup failed
> > error in /opt/bro/share/bro/site/local.bro, line 106: "redef" used but not previously defined (FTP::extract_file_types)
> > internal warning in /opt/bro/share/bro/site/local.bro, line 106: Can't document redef of FTP::extract_file_types, identifier lookup failed
> > error in /opt/bro/share/bro/site/local.bro, line 109: "redef" used but not previously defined (HTTP::extraction_prefix)
> > internal warning in /opt/bro/share/bro/site/local.bro, line 109: Can't document redef of HTTP::extraction_prefix, identifier lookup failed
> > error in /opt/bro/share/bro/site/local.bro, line 110: "redef" used but not previously defined (FTP::extraction_prefix)
> > internal warning in /opt/bro/share/bro/site/local.bro, line 110: Can't document redef of FTP::extraction_prefix, identifier lookup failed
> >
> >
> > Any insight would be helpful.
> >
> > --
> > *Read, *pause, *think,* pause, *write*, pause, (perhaps erase), pause, *read, *pause, (perhaps *go back*), pause, *write, ....* -- *Alan Turing (1936)*
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
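For readers landing on this thread with the same question, here is what the retired `HTTP::extract_file_types` / `extraction_prefix` redefs look like when redone on the file analysis framework Johanna points to, restricted to HTTP and FTP as Stephen describes. This is an added example written for this page; it is not code from the thread and not the extract-pe.bro script from the hosom/bro-file-extraction repository. It assumes Bro 2.4 or newer (the `file_sniff` event and the `extract_limit` analyzer argument), that the `ExtractPE` module name and the `/nsm/bro/extracted/` path are placeholders you adjust, and that the output directory already exists and is writable by the Bro process, since Bro does not create it.

```bro
# Added example, not from the thread: extract PE files seen over HTTP and FTP
# using the file analysis framework instead of the retired
# HTTP::/FTP::extract_file_types and extraction_prefix redefs.
# Assumes Bro 2.4+; the prefix directory must exist before Bro starts.

@load base/frameworks/files
@load base/files/extract

module ExtractPE;

export {
    ## Only files carried by these analyzers are extracted. FTP payloads
    ## travel on the data channel, which files.log reports as FTP_DATA.
    const sources: set[string] = { "HTTP", "FTP_DATA" } &redef;

    ## MIME types treated as Windows executables (libmagic's label for PE).
    const mime_types: set[string] = { "application/x-dosexec" } &redef;

    ## Cap on bytes written per file so one large transfer cannot fill the
    ## extraction volume. Assumes the extract_limit argument (Bro 2.4+).
    const max_bytes: count = 50000000 &redef;
}

# Replaces the old HTTP::/FTP::extraction_prefix; placeholder path.
redef FileExtract::prefix = "/nsm/bro/extracted/";

# file_sniff fires once the MIME type has been inferred from the first bytes
# of the file, the earliest point at which a type-based decision is possible.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type || meta$mime_type !in mime_types )
        return;

    # f$source names the analyzer that delivered the file ("HTTP", "FTP_DATA", ...).
    if ( f$source !in sources )
        return;

    # Build the name from source and file id so files from different
    # connections never collide or overwrite one another.
    local fname = fmt("%s-%s", f$source, f$id);

    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname, $extract_limit=max_bytes]);

    # Hash alongside extraction so files.log carries a lookup key for the sample.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

# When the file is finished, files.log's "extracted" field holds the on-disk
# name; report it to reporter.log as well for quick triage.
event file_state_remove(f: fa_file)
    {
    if ( f$info?$extracted && f$info?$sha256 )
        Reporter::info(fmt("extracted %s (sha256 %s) from %s to %s",
                           f$id, f$info$sha256, f$source, f$info$extracted));
    }
```

Load it from local.bro with `@load` (or run it directly with `bro -r http-putty.pcap extract-pe.bro`) and check files.log: the `extracted` column names the file under the prefix directory, and `sha256` gives a key for matching against your intel feeds. Dropping the source check extracts PE files from every analyzer that produces files, which is what Stephen means when he says the repository script does not limit itself to HTTP and FTP.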